论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2012-03-15 15:16 |只看该作者 |倒序浏览

20可用积分

本帖最后由 GreenAugust 于 2012-03-19 12:23 编辑

请教大家，先谢谢

组件：Postfix+Dovecot+OpenLDAP

Postfix+Cyrus-SASL+OpenLDAP 验证SMTP
Dovecot+OpenLDAP  验证POP

Postfix Dovecot OpenLDAP 使用编译安装

Cyrus-SASL 使用RHL5.4 自带安装RPM包安装

POP和SMTP使用相同的数据库LDAP

问题：用户在发送邮件的时候，突然突出密码验证失败，日志显示 SASL LOGIN authentication failed: authentication failure，使用 testsaslauthd -uuser -ppassword依然验证失败。
登录phpLDAPadmin 登录，查看使用checkpassword 检查用户密码为正确的密码，排除用户更改密码的可能性。POP收取邮件正常，用户登录正常
问题是，这只是部分用户，没有大规模用户验证失败。
贴出配置：
Postfix  main.cf

————————————————————————————————————————————————————————————

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
myhostname = ********************
mydestination = $myhostname,localhost
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8,192.168.254.0/24

debug_peer_level = 2
debugger_command =
      PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
      xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = no
virtual_mailbox_domains = ********************
virtual_mailbox_base = /mail
#virtual_alias_maps = ldap:/etc/postfix/ldapalias.cf.autoreply
#virtual_alias_maps = ldap:/etc/postfix/ldapalias.cf
virtual_alias_maps = ldap:/etc/postfix/ldapalias.cf.autoreply,ldap:/etc/postfix/ldapalias.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldap-mailbox.cf
virtual_mailbox_limit = 0

virtual_mailbox_limit_inbox = no
virtual_mailbox_limit_maps = ldap:/etc/postfix/quota.cf
virtual_overquota_bounce = yes
virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota, please try again later.

virtual_uid_maps    = static:1000
virtual_gid_maps    = static:1000
local_recipient_maps = proxy:unix:passwd.byname $alias_maps $virtual_mailbox_maps

smtpd_sasl_auth_enable = yes
#smtpd_sasl_path = smtp
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions =
permit_mynetworks
permit_auth_destination
permit_sasl_authenticated
reject
#broken_sasl_auth_clients = yes

transport_maps = hash:/etc/postfix/transport
virtual_transport = virtual
#relayhost = 192.168.254.173
#relayhost = 192.168.254.173

smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/tls/private/localhost.key
smtpd_tls_cert_file = /etc/pki/tls/certs/localhost.crt
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd__scache
#smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
#smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache

smtpd_tls_loglevel = 1
bounce_queue_lifetime = 3d
maximal_queue_lifetime = 3d

[root@web postfix]# clear
[root@web postfix]# cat /etc/smtpd.conf
pwcheck_method: saslauthd
mech_list: login plain
[root@web postfix]# vim main.cf
[root@web postfix]# vim main.cf
[root@web postfix]# postfix reload
postfix/postfix-script: refreshing the Postfix mail system
[root@web postfix]# cat main.cf
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
myhostname = ****************************
mydestination = $myhostname,localhost
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8

debug_peer_level = 2
debugger_command =
      PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
      xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = no

virtual_mailbox_domains = **************************
virtual_mailbox_base = /mail
virtual_alias_maps = ldap:/etc/postfix/ldapalias.cf.autoreply,ldap:/etc/postfix/ldapalias.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldap-mailbox.cf
virtual_mailbox_limit = 0
virtual_mailbox_limit_inbox = no
virtual_mailbox_limit_maps = ldap:/etc/postfix/quota.cf
virtual_overquota_bounce = yes
virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota, please try again later.
virtual_uid_maps    = static:1000
virtual_gid_maps    = static:1000
local_recipient_maps = proxy:unix:passwd.byname $alias_maps $virtual_mailbox_maps

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions =
permit_mynetworks
permit_auth_destination
permit_sasl_authenticated
reject
broken_sasl_auth_clients = yes

transport_maps = hash:/etc/postfix/transport
virtual_transport = virtual

smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/tls/private/localhost.key
smtpd_tls_cert_file = /etc/pki/tls/certs/localhost.crt
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd__scache
#smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
#smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache

smtpd_tls_loglevel = 1
bounce_queue_lifetime = 3d
____________________________________________________________________________________

SASL 配置文件
——————————————————————————————————————————————————————
cat /etc/saslauthd.conf
ldap_servers: ldap://127.0.0.1
ldap_bind_dn: cn=root,o=sesc,c=cn
ldap_bind_pw: 123456
ldap_search_base: ou=People,o=sesc,c=cn
ldap_version: 3
ldap_auth_method: bind
ldap_filter: (virtualdomainuser=%u)

cat /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: login plain

grep -Ev "^$|#" /etc/sysconfig/saslauthd
SOCKETDIR=/var/run/saslauthd
MECH=ldap
FLAGS=

————————————————————————————————————————————————————————
以上；谢谢

目前我只有20积分，如果问题解决，可以提供给你$。感谢
_______________________________________________________________________________________

saslauthd

验证错误日志

Mar 11 12:48:01 china1 saslauthd[3742]: Retrying authentication
Mar 11 12:51:21 china1 saslauthd[3739]: Retrying authentication
Mar 11 12:58:50 china1 saslauthd[3738]: Retrying authentication
Mar 11 13:37:01 china1 saslauthd[3739]: Retrying authentication
Mar 11 14:10:48 china1 saslauthd[3738]: Retrying authentication
Mar 11 14:14:45 china1 saslauthd[3739]: Retrying authentication
Mar 11 14:14:45 china1 saslauthd[3739]: do_auth       : auth failure: [user=c11589] [service=smtp] [realm=] [mech=ldap] [reason=Unknown]
Mar 11 14:15:00 china1 saslauthd[3742]: Retrying authentication
Mar 11 14:15:00 china1 saslauthd[3742]: do_auth       : auth failure: [user=c11589] [service=smtp] [realm=] [mech=ldap] [reason=Unknown]
Mar 11 14:15:16 china1 saslauthd[3739]: do_auth       : auth failure: [user=c11589] [service=smtp] [realm=] [mech=ldap] [reason=Unknown]
Mar 11 14:17:20 china1 saslauthd[3738]: Retrying authentication
Mar 11 14:18:56 china1 saslauthd[3741]: Retrying authentication
Mar 11 15:12:07 china1 saslauthd[3738]: Retrying authentication
Mar 11 15:54:14 china1 saslauthd[3741]: Retrying authentication
Mar 11 15:58:29 china1 saslauthd[3738]: Retrying authentication
Mar 11 16:04:07 china1 saslauthd[3738]: Retrying authentication

使用 testsaslauthd -uc1589 -p123456 验证出现以下错误

Mar 11 14:15:16 china1 saslauthd[3739]: do_auth       : auth failure: [user=c11589] [service=smtp] [realm=] [mech=ldap] [reason=Unknown]

然后到phpLDAPadmin里面验证密码，却是是正确的密码。POP同样使用LDAP验证，没有出现验证错误。

结构图